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What is claimed is: 
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1. A monVLtoring device disposed for thwarting denial of 
ervice attacks \on the data center, the monitoring device 

comprising : 

a plurality lof probe devices that are disposed to collect 
statistical inf orynation on packets that are sent between the 
network and the dkta center; 

a cluster held coupled to each of the plurality of probe 
devices, the dustier head receiving collected statistical 
information from tlhe probe devices and determining from the 
collected information whether the data center is under a denial 
of service attack. 

2. The devide of claim 1 wherein the cluster head is 
coupled to the plurality of probe devices through a dedicated, 
private network. 
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3. The devicel of claim 2 wherein the cluster head further 
comprises : 

a communication Iprocess that communicates statistics 
collected in the probe devices with a control center, and that 
receives queries or instructions from the control center. 
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4. The device ot claim 3 wherein the monitoring device is 
a gateway device and farther comprises: 

a process to install filters to thwart denial of service 
attacks by removing network traffic that is deemed part of an 
attack. 

5. The device of dlaim 1 wherein the probes are 
physically deployed in lipe in the network. 
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6. The de\^ce of claim 1 wherein the probes execute a 
joining process that allows a probe to join a cluster, 



7. The device of claim 1 wherein the cluster head 
comprises a process to aggregate traffic from the various probes 
and to produce logls and apply detection heuristics. 



8 . A method 
victim data center 

monitoring ne 
between the victim 

communicating 
network, to a cluster 



9. The method 
communicating 
control center ove 



10. The methc 
analyzing network 

network traffic; arid 

filtering network 

network traffic, dulring 



11. The methold 
and the probe devi 



of thwarting denial of service attacks on a 
coupled to a network comprises: 
work traffic through probes that are disposed 
data center and the network; and 
data from the probes, over a dedicated 
head device. 



of claim 8 further comprising: 
data from the cluster head device to a 
a hardened network. 



d of claim 8 further comprising: 

traffic statistics to identify malicious 

traffic, which is identified as malicious 
analyzing of the network traffic. 
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of claim 8 wherein the cluster head device 
s comprise a clustered gateway. 



12. The methop of claim 11 wherein when a new cluster 
probe is added to 
comprises : 

dynamically di 
join the cluster 
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tie clustered gateway, the method further 
scovering the new cluster probe that seeks to 
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13. 



The met 



performing intelligent traffic analysis and filtering to 



identify the mali 
traffic . 



cious traffic and to eliminate the malicious 



14. The method 
traffic analysis 
is performed by t 



a cluster he 
a plurality 



od of claim 8 further comprising: 



of claim 13 wherein performing intelligent 
s controlled by the cluster head and filterin 
le probes. 



15. A gateway for thwarting denial of service attacks on 
victim comprises: 

spd; and 

)f probes disposed between a network and a 
victim, the probers collecting statistical data, for performance 
of intelligent traffic analysis and filtering by the probed, to 
identify malicious traffic for thwarting denial of service 
attacks , 



16. The gatfeway of claim 15 wherein the gateway includes 
process to insert I filters to discard packets that are deemed to 
be part of an attack. 



17. A monitoring device disposed for thwarting denial of 
service attacks on| the data center, the monitoring device 
comprising: 

a device that I collects statistical information on packets 
that are sent between the network and the data center over a 
plurality of links end that produces statistical information 
from network traffic over the plurality of links to determine 
from the statistical information whether the data center is 
under a denial of service attack. 
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18. The monitoring device of claim 17 wherein the 
monitoring device is coupled to a control center through a 
hardened network. 

19. The monitoring device of claim 17 wherein the device 
further comprises : 

a communication process that communicates statistics with a 
control center, land that receives queries or instructions from 
the control centler. 

20. The monitoring device of claim 17 wherein the 
monitoring device is a gateway device and further comprises: 

a process th install filters to thwart denial of service 
attacks by removing network traffic that is deemed part of an 
attack. 1 

21. The monlitoring device of claim 20 wherein the gateway 
comprises: I 

a process tolaggregate traffic from the various links and 
to produce logs amd detection heuristics. 

22. A method of thwarting denial of service attacks on a 
victim data center! coupled to a network comprises: 

monitoring network traffic over a plurality of links 
between the victim! data center and the network; and 

communicating! data , over a hardened network, to a control 
center. I 

23. The methdd of claim 22 wherein monitoring is performed 
by probe devices thlat sample network traffic at a constant rate. 




-22- 



Patent Application 
Attorney Docket No. 12221-011001 



« 



* 



24. The method of claim 23 wherein the sampled network 
traffic by the probes is delivered to a clustered head for 



traffic analysis, 
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sampled network trp 
constant rate irre 



ffic to the cluster head at a substantially 
spective of traffic on the monitored network. 



f claim 23 wherein the probes send the 
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